
Need help mapping MITRE Tactics and Techniques from Azure Sentinel

TravisOC
Giga Guru

Hi Community,
We’re currently implementing Security Incident Response (SIR) for a customer using the Microsoft Azure Sentinel integration. They’re looking to include MITRE ATT&CK information (Tactics and Techniques) in their Security Incidents; however, they do not appear to be licensed for the full Threat Intelligence suite. We do see raw data from Sentinel that includes both the Tactics and Techniques (T-numbers), and we also have the Technique Extraction Rules table (part of Threat Intelligence common, which ships with SIR).
Is there a way to bring this MITRE data into Security Incidents without having the full TI plugin/license? Any insights or best practices on how to accomplish this would be greatly appreciated!
Thanks in advance!


Dhruv Gupta1
Kilo Sage

I have implemented the MITRE ATT&CK framework recently. I can provide details.

Yes, please

PritamG
Mega Guru

Yes, it’s possible without the full Threat Intelligence (TI) license.

1. Extract Tactics and Techniques from Sentinel data: use the raw data from Azure Sentinel to identify the MITRE ATT&CK Tactics and Techniques.

2. Leverage the Technique Extraction Rules table: map the extracted Tactics and Techniques from the Sentinel data to entries in the Technique Extraction Rules table.

3. Automate population in Security Incidents: write a script in your SIR workflows or business rules to populate Security Incidents with the Tactics and Techniques by matching the Sentinel data against the rules in the Technique Extraction Rules table.
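An added example, not part of PritamG's reply and not ServiceNow's Threat Intelligence code: ES5 JavaScript (so it could be pasted into a Script Include and called from a business rule) that applies constructed extraction rules to a sample Sentinel incident payload and returns the tactic and technique values to write onto the Security Incident. The rule format, the payload field names and the sample data are assumptions made for illustration.

```javascript
// Added example (ES5 so it also runs in a ServiceNow Script Include).
// The rule format and payload field names are ASSUMPTIONS, not the
// Threat Intelligence common schema.

// Constructed rules, modelled on the idea of the Technique Extraction Rules
// table: each rule names a payload field to scan and a regex whose first
// capture group is a T-number (optionally a sub-technique, e.g. T1059.001).
var EXTRACTION_RULES = [
  { field: 'techniques',  pattern: '\\b(T\\d{4}(?:\\.\\d{3})?)\\b' },
  { field: 'description', pattern: '\\b(T\\d{4}(?:\\.\\d{3})?)\\b' }
];

// Sentinel reports tactics in CamelCase ("InitialAccess"); ATT&CK display
// names use spaces ("Initial Access"). Insert a space before inner capitals.
function normalizeTactic(name) {
  return String(name).replace(/([a-z])([A-Z])/g, '$1 $2').trim();
}

// Apply every rule to the raw incident and return de-duplicated, sorted lists.
function extractMitre(rawIncident, rules) {
  var techniques = {};
  rules.forEach(function (rule) {
    var value = rawIncident[rule.field];
    if (value === undefined || value === null) return;
    var text = Array.isArray(value) ? value.join(' ') : String(value);
    var re = new RegExp(rule.pattern, 'g');
    var m;
    while ((m = re.exec(text)) !== null) {
      techniques[m[1]] = true;
      // A sub-technique (T1059.001) also implies its parent (T1059).
      techniques[m[1].split('.')[0]] = true;
    }
  });
  var tactics = {};
  (rawIncident.tactics || []).forEach(function (t) {
    tactics[normalizeTactic(t)] = true;
  });
  return { tactics: Object.keys(tactics).sort(),
           techniques: Object.keys(techniques).sort() };
}

// Constructed sample shaped like the raw Sentinel data the question describes.
var SAMPLE_INCIDENT = {
  title: 'Suspicious PowerShell launched from Office document',
  description: 'Macro spawned powershell.exe (T1059.001); see also T1566.001.',
  tactics: ['InitialAccess', 'Execution'],
  techniques: ['T1566.001', 'T1059.001']
};

function demo() { return extractMitre(SAMPLE_INCIDENT, EXTRACTION_RULES); }
```

In a business rule the two returned arrays would be joined and written to the incident's tactic and technique fields with GlideRecord, which is omitted here because it does not run outside an instance.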
Dhruv Gupta1
Kilo Sage

So, first thing: you need not get TISC, but you would need the TI plugin.